CALEA BoF:Some Introductory Comments Internet2/ESNet Joint TechsMinneapolis, 12:15, February 14, 2007 Joe St Sauver, Ph.D. (email@example.com) http://www.uoregon.edu/~joe/calea-bof/
Thanks For Joining Us Today for This BoF! • Let’s begin by going around the room, and having everyone briefly introduce themselves. Please give your name, and the name of the institution you’re with. • I’d also encourage you to sign in on the sheet that’s going around. • I’ll then show a few introductory slides to get things started • Finally we’ll open things up for the rest of this session’s time slot so that attendees can share what they’re thinking about when it comes to CALEA.
So Why Is Joe Leading This BoF? • The folks who were originally supposed to do this BoF were unable to be here, Russ knew that I’m scheduled to talk about CALEA at Terena in Denmark later this year, and I’m told you get a special merit badge after you lead three BoFs in a single meeting (e.g., Russ gently twisted my arm me into volunteering) • Why have this BoF now? Well, CALEA is very timely right now (as those of you who may have just filed CALEA paperwork no-later-than February 12th no doubt know). • Caution: I am not a lawyer and these introductory remarks should not be taken as being legal advice -- for legal advice on CALEA, I urge you to consult your attorneys! • Disclaimer: Any opinions expressed are solely my own, and should not be taken as representing the opinion of any other entity. • In any event, let’s dive in…
What Is CALEA? • We had an excellent CALEA talk earlier this morning, but just for post-hoc completeness, CALEA is the Communication Assistance for Law Enforcement Act of 1994, 47 USC 1001-1021 • Quoting the Federal http://www.askcalea.net/ web site, CALEA “defines the existing statutory obligation of telecommunications carriers to assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization. The objective of CALEA implementation is to preserve law enforcement's ability to conduct lawfully-authorized electronic surveillance while preserving public safety, the public's right to privacy, and the telecommunications industry's competitiveness.” • Recent FCC administrative actions (and court decisions targeting those actions), have clarified that this 1994 law includes “facilities based broadband providers,” and under some circumstances, some higher education networks, but more on that in a moment.
Key CALEA Resource For Higher Ed • Educause has an excellent CALEA resource page for higher education users at http://www.educause.edu/calea and there is also a CALEA-HE mailing list for higher ed users which you can join via http://listserv.educause.edu/cgi-bin/wa.exe?A0=CALEA-HE • If you do nothing else after this BoF, be sure to check out that web site!
Deliverables and Dates • If (and only if) your campus network or state network is subject to CALEA, you have a number of new substantive and procedural responsibilities. Relevant dates for deliverables include:-- By February 12th, 2007, you should have filed FCC Form 445, “CALEA Monitoring Report for Broadband and VoIP Services”-- By March 12th, 2007, you will need to file the required “System Security and Integrity” (“SSI”) Plan (examples available on the Educause site)-- Finally, May 14th, 2007, is the deadline for full CALEA compliance. Full compliance will require meeting the requirements of the appropriate industry technical standard(s) (see http://www.askcalea.net/standards.html )
The Question of the Week: “Does My Campus Need to Be Compliant?” • Because everyone’s circumstances will differ, and because this is a very complex issue, this is a question that your administration will ultimately need to decide after consultation with your legal staff. Subtle differences in circumstances, or in the analysis of those circumstances, may lead seemingly identical entities to radically different conclusions. • A relatively large number of potential exemptions have been identified. Some of the exemptions your legal counsel may be considering include…
The Private Network Exemption • 47 U.S.C. 1002 (b)(2)(B) exempts "equipment, facilities, or services that support the transport or switching of communications for private networks.” Unfortunately, "private network" is not a term explicitly defined in the Act, and because the Internet is a series of interconnected hierarchical private networks, it can sometimes be difficult to ascertain exactly where a "private network" ends and "the public Internet" begins. • Clearly, a network which exists solely within a single building or facility and which does not interconnect with any networks owned or operated by other entities would be a "private network" for the purposes of CALEA. That sort of physically isolated private network is rare, however, and restricting it to just that one extreme type of "private network" would be unduly and unnecessarily limiting since the FCC has made it clear that the private network exemption potentially encompasses far more.
Private Network Exemption (2) • See footnote 100 on PDF page 19 of the FCC's "First Report and Order and Further Notice of Proposed Rulemaking" as adopted August 5th, 2005, FCC 05-153. Quoting from that footnote: Relatedly, some commenters describe their provision of broadband Internet access to specific members or constituents of their respective organizations to provide access to private education, library and research networks, such as Internet2's Abilene Network, NyserNet, and the Pacific Northwest gigaPoP. See, e.g., EDUCAUSE Comments at 22-25. To the extent that EDUCAUSE members (or similar organizations) are engaged in the provision of facilities-based private broadband networks or intranets that enable members to communicate with one another and/or retrieve information from shared data libraries not available to the general public, these networks appear to be private networks for purposes of CALEA. Indeed, DOJ states that the three networks specifically discussed by EDUCAUSE qualify as private networks under CALEA's section 103(b)(2)(B). DOJ Reply at 19. We therefore make clear that providers of these networks are not included as "telecommunications carriers" under the SRP with respect to these networks. To the extent, however, that these private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA under the SRP.
Private Network Exemption (3) • Institutions interested in relying on this exemption thus need to pay attention to the extent to which their private networks end up being publicly accessible, and to any interconnections between their private network and ether the public switched telephone network or the Internet. It is particularly worthy of note that at least in some cases a private institutional network may interconnect with a private regional network or private national network, and only with private regional or private national networks, and thus the institution may not be subject to CALEA compliance obligations. • Please see the American Council on Education (ACE)'s document “The Application of CALEA to Higher Education,” and ACE vs. FCC, U.S. Court of Appeals for the District of Columbia Circuit, No. 05-1404, June 9, 2006 particularly at PDF page 19 (noting that the private network exemption has not yet been challenged by the government).
Internet Gateway Compliance (Only) • At one point there was concern that universities would need to replace virtually all their network equipment to make it possible to do lawful CALEA interceptions within private networks themselves. • That is, if you wanted to be able to lawfully intercept traffic going from one local user to another local user, with both users connecting via the private network, it would not be sufficient to just be able to intercept traffic at the Internet gateway -- traffic exchanged between two local users would remain entirely within the local private network, and since it would never touch the Internet gateway, it would not be able to be lawfully intercepted. • In its second report and order, however, the FCC clarified that in fact private networks did in fact only need to be CALEA compliant at their Internet gateway.
Internet Gateway Compliance (2) • See, for example, the FCC's Second Report and Order and Memorandum Opinion and Order, Adopted May 3, 2006, FCC 06-56 at page 82, which states, Petitioners' professed fear that a private network would become subject to CALEA "throughout [the] entire private network" if the establishment creating the network provided its own connection between that network and the Internet is unfounded. The [First Report and Order] states that only the connection point between the private and public networks is subject to CALEA. This is true whether that connection point is provided by a commercial Internet access provider or by the private network operator itself.
Internet Gateway Compliance (3) • Thus, it is possible to envision a scenario whereby an institution's private network connects to a private regional network. • Given the gateway compliance rule, CALEA compliance is only required at the point where the private regional network interconnects with the public Internet or the PSTN, but that requirement also needs to be viewed in light of the Interconnecting Telecommunications Carriers Exemption.
Interconnecting Telecommunications Carriers Exemption • 47 U.S.C. 1002 (b)(2)(B) also exempts "equipment, facilities, or services that support the transport or switching of communications [...] for the sole purpose of interconnecting telecommunications carriers.” Thus, "equipment, facilities, or services that support the transport or switching of communications [...] for the sole purpose of interconnecting telecommunication carriers" would not be subject to CALEA. • But what is a "telecommunication carrier?" The FCC clarified this for CALEA purposes in rules it issued, see FCC 06-56 at page 45, section 1.20002 (e)…
Interconnecting Telecommunications Carriers Exemption (2) • Telecommunications carrier. The term telecommunications carrier includes: (1) A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; (2) A person or entity engaged in providing commercial mobile service (as defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 332(d))); or (3) A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
Interconnecting Telecommunications Carriers Exemption (3) • In considering those definitions, note that only one of two alternatives may logically be true: either an entity is a telecommunication carrier, or it isn't. • If the entity IS NOT a telecommunication carrier, it is not subject to CALEA (see, for example, Section 103(a) "Except as provided in subsections (b), (c), and (d) of this section and sections 108(a) and 109(b) and (d), a telecommunications carrier shall..." (emphasis added) and see also ACE vs. FCC, U.S. Court of Appeals for the District of Columbia Circuit, No. 05-1404, June 9, 2006, at PDF page 4.) • Thus a private regional network which would not be a telecommunications carrier would not be subject to CALEA compliance obligations (its upstream, if a public Internet provider or PSTN provider, would be).
Interconnecting Telecommunications Carriers Exemption (4) • If the entity IS a telecommunication carrier, when focusing on the Interconnecting Telecommunications Carriers Exemption, one should then ask, "Does the telecommunication carrier have equipment, facilities, or services that support the transport or switching of communications [...] for the sole purpose of interconnecting telecommunication carriers?" If so, then those equipment, facilities and services may ALSO not be subject to CALEA obligations. • So what, then, of a carrier-to-carrier equipment, facilities or services which also happen to be the "Internet gateway" for downstream private networks?
Last Mile Focus • This issue of network hierarchy and gateway compliance is also relevant in so far as CALEA's emphasis is on so-called "last mile" connectivity, not backbone interconnections between carriers. • Why is law enforcement not particularly interested in connections between backbone carriers for CALEA compliance purposes? • Backbone carriers lack the knowledge needed to identify the network traffic that may be associated with a named lawful intercept subject of interest ("All network traffic originated by or destined for Susan Marie Anderson of Wagonwheel, Oregon.”)
Backbone Carriers Simply “May Not Know” • To help explain why backbone carriers may not be able to identify traffic associated with a lawful intercept target, let's just consider a couple of scenarios:-- a backbone carrier often won't know what dynamically assigned IP address a named lawful intercept target might be using-- a backbone carrier won't be able to determine which user is associated with network traffic that's gone through a network address translation ("NAT") device • Thus, clearly from the perspective of the backbone operator, the network traffic the operator sees may in many cases not be readily attributable to a subject of law enforcement interest -- actually making those sort of associations requires the cooperation of the downstream last mile provider, but that provider may be exempt as the operator of a private network
A Strange Potential Situation • With that for background, now consider a scenario where:-- the institutional private network is exempt,-- the regional private network is exempt, and since-- compliance need only occur at the gateway from the private network to the public Internet (or PSTN), the "Internet gateway" might effectively end up “pushed up” to an interconnecting telecommunications carriers link, but that link may also have been exempted by CALEA (and if not, the carrier may simply not have access to the data they’d need to comply…) • One more potential exemption to mention…
Retail Establishment Exemption • A final potentially relevant exemption can be found in the so-called "coffee shop" exemption or "retail establishment exemption" described at paragraph 36 and footnote 99 on PDF page 19 of 59 of the First Report and Order, FCC 05-153 which states,Finally, in finding CALEA's SRP to cover facilities-based providers of broadband Internet access service, we conclude that establishments that acquire broadband Internet access service from a facilities based provider to enable their patrons or customers to access the Internet from their respective establishments are not considered facilities-based broadband Internet access service providers subject to CALEA under the SRP. [footnote 99] We note, however, that the provider of underlying facilities to such an establishment would be subject to CALEA, as discussed above.
Retail Establishment Exemption (2) • Footnote 99 reads: Examples of these types of establishments may include some hotels, coffee shops, schools, libraries, or book stores. DOJ has stated that it has "no desire to require such retail establishments to implement CALEA solutions," DOJ Comments at 36, and we conclude that the public interest at this time does not weigh in favor of subjecting such establishments to CALEA. • This exemption might provide additional grounds for some schools to assert that they are exempt from CALEA compliance obligations. Note, too, that it effectively deprecates the possibility of a hierarchy of exempt private networks, since the "provider of underlying facilities to such an establishment would be subject to CALEA" apparently as an absolute matter by this finding.
“What If We DO Need to Become CALEA Compliant?” • You can “roll your own” CALEA solution ala Merit (seehttp://www.merit.net/resources/documents/index.php?printvs=1 ) • You can purchase a commercial vendor solution (see some options at http://www.educause.edu/ir/library/pdf/EPO0708.pdf ) • You can employ a “trusted third party” to effect CALEA compliance for you (see for example the list athttp://www.educause.edu/ir/library/pdf/EPO0707.pdf ) • Which solution makes sense for a given site may be a technical, financial or political question. :-) • With that for background, what are your sites planning to do? What questions about CALEA do you have?